@sei-dupdyke
Last active November 10, 2023 17:32
Using ADS to hide information in a file

  1. Open a Windows command prompt (cmd.exe) and create a text file:
C:> echo The quick brown fox > fox.txt

This command writes the echoed string to the main (unnamed) data stream of a file called fox.txt.

  2. View the contents of fox.txt:
C:> type fox.txt

The quick brown fox
  3. Write new content into a named stream of fox.txt (this is the hidden content):
C:> echo jumps over the lazy dog > fox.txt:this_is_hidden

It looks as if we have created a new file called fox.txt:this_is_hidden, but that is not the case. this_is_hidden is an alternate data stream attached to fox.txt; no file named fox.txt:this_is_hidden exists, and the stream lives in the same NTFS file record as the main data.

C:> type fox.txt:this_is_hidden

The filename, directory name or volume label syntax is incorrect

The type command cannot open a named stream, but redirecting the stream into a command that reads standard input works:

C:> more < fox.txt:this_is_hidden

jumps over the lazy dog

The 'original' data in the main stream is still there:

C:> type fox.txt

The quick brown fox

Yet, a plain directory listing shows only one file, fox.txt:

C:> dir
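The same walkthrough in PowerShell, added here as an example and not part of the original gist. PowerShell has native stream support through the -Stream parameter on the Item and Content cmdlets (PowerShell 3.0 and later on Windows), so it can both write a named stream and list every stream on a file, which cmd's dir cannot do without the /R switch. The temporary directory name and the stream name this_is_hidden are the script's own choices.

```powershell
# Added example (not from the gist): create fox.txt, attach a named stream,
# list all streams, read the hidden one back, then clean up.
# Everything is created under a fresh temp directory so the script is self-contained.
$dir  = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$file = Join-Path $dir 'fox.txt'

# Main (unnamed) data stream; equivalent to: echo The quick brown fox > fox.txt
Set-Content -Path $file -Value 'The quick brown fox'

# Named stream; equivalent to: echo jumps over the lazy dog > fox.txt:this_is_hidden
Set-Content -Path $file -Stream 'this_is_hidden' -Value 'jumps over the lazy dog'

# A normal listing shows one file. Length is the size of the main stream only,
# which is why the ADS does not change the reported file size.
Get-ChildItem -Path $dir | Select-Object Name, Length, LastWriteTime

# Enumerate every stream on the file. ':$DATA' is the main stream;
# each named stream appears with its own length.
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# Read the hidden stream (cmd's 'type' fails on this; 'more <' works)
Get-Content -Path $file -Stream 'this_is_hidden'

# The main data is untouched
Get-Content -Path $file

# Removing the named stream leaves the file and its main data in place
Remove-Item -Path $file -Stream 'this_is_hidden'
Get-Item -Path $file -Stream * | Select-Object Stream, Length

Remove-Item -Path $dir -Recurse -Force
```

The Get-Item -Stream * call is the quickest check a responder can run on a single file; the cmd equivalent is dir /R, which prints each named stream under its file with the stream's own size.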

Note:

  • The file's last-modified timestamp changes when an ADS is added. In a plain dir listing that is the only indication that anything happened; dir /R (Windows Vista and later) and PowerShell's Get-Item -Stream * list the named streams explicitly.
  • The file size reported by dir and Explorer is the size of the main data stream only, so it does not change when streams are added. A file can carry many alternate streams without that being visible in a normal listing.
  • Because of this, ADS are easy to overlook unless tooling that enumerates streams is used.

Example of abusing ADS in malware:

C:> type c:\windows\system32\rundll32.exe > fox.txt:rundll32.exe

Here type reads the binary and the redirection writes it into a new named stream on fox.txt, so a full copy of rundll32.exe is now stored inside the text file.

To run this hidden copy of rundll32.exe directly from ADS, we run:

C:> start c:\fox.txt:rundll32.exe

rundll32.exe is only a stand-in; any executable, including malware, can be stored in a stream the same way. On Windows Vista and later, cmd's start no longer launches an executable directly from a named stream, so this last step may fail on a current system; the stream still holds a complete copy of the binary, and other documented launchers (for example wmic process call create) have been used to run it.
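A detection counterpart to the trick above, added here as an example and not part of the original gist. The function walks a directory tree, enumerates named streams on every file, skips Zone.Identifier (the mark-of-the-web stream that browsers and mail clients write on downloads), and flags any stream whose first two bytes are the 'MZ' magic of a Windows executable. The function name Find-SuspiciousAds, its -Root and -Ignore parameters, and the sample files it builds are all this example's own inventions.

```powershell
# Added example (not from the gist): hunt for named streams that carry executables.
# Find-SuspiciousAds, -Root and -Ignore are names chosen for this example.
function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)] [string]   $Root,
        [string[]] $Ignore = @('Zone.Identifier')   # expected mark-of-the-web stream
    )
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # Get-Item -Stream * returns ':$DATA' (the main stream) plus every named stream
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $Ignore -notcontains $_.Stream } |
                ForEach-Object {
                    # Read only the first two bytes of the stream. Windows PowerShell 5.1
                    # uses -Encoding Byte, PowerShell 6+ uses -AsByteStream.
                    $read = @{ LiteralPath = $item.FullName; Stream = $_.Stream
                               TotalCount = 2; ErrorAction = 'SilentlyContinue' }
                    if ($PSVersionTable.PSVersion.Major -ge 6) { $read.AsByteStream = $true }
                    else                                        { $read.Encoding = 'Byte' }
                    $head = @(Get-Content @read)
                    [pscustomobject]@{
                        File       = $item.FullName
                        Stream     = $_.Stream
                        Bytes      = $_.Length
                        # 'MZ' = 0x4D 0x5A, the DOS header magic at offset 0 of every PE file
                        IsPE       = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                        ModifiedAt = $item.LastWriteTime
                    }
                }
        }
}

# Constructed sample input: a text file with one benign Zone.Identifier stream and
# one stream that begins with the PE magic bytes (not a real executable).
$demo = Join-Path $env:TEMP ('ads-hunt-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$f = Join-Path $demo 'fox.txt'
Set-Content -Path $f -Value 'The quick brown fox'
Set-Content -Path $f -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
Set-Content -Path $f -Stream 'payload.exe' -Encoding Ascii -NoNewline -Value 'MZ-fake-header'

# Only payload.exe is reported, with IsPE = True; Zone.Identifier is ignored.
Find-SuspiciousAds -Root $demo | Format-Table -AutoSize

Remove-Item -Path $demo -Recurse -Force
```

On a real system run it against user-writable locations (profiles, temp directories, web roots) and review every hit, not only those with IsPE set: a stream holding a script or a configuration blob is just as interesting as one holding a PE, and the only streams that should be routine on a workstation are Zone.Identifier and whatever the local backup or AV products are known to write.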
